s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
Stefan (metze) Metzmacher
metze at samba.org
Tue May 11 02:35:31 MDT 2010
Anatoliy Atanasov schrieb:
> ----- Original Message -----
>> From: Stefan (metze) Metzmacher <metze at samba.org>
>> To: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
>> Cc: abartlet at samba.org <abartlet at samba.org>, samba-technical at lists.samba.org <samba-technical at lists.samba.org>
>> Sent: Tuesday, May 11, 2010 11:08:20 AM (GMT+02:00) Athens, Bucharest, Istanbul
>> Subject: Re: s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
>>> Anatoliy Atanasov schrieb:
>>> Hi Andrew,
>>>>> On Mon, 2010-05-10 at 09:26 -0500, Anatoliy Atanasov wrote:
>>>>> The branch, master has been updated
>>>>> via 658dac9... v2 Latest enhancements in ldapcmp tool
>>>>> via c3cbb84... s4-rodc: Fix provision warnings by creating
>>>> ntds objectGUID in provision
>>>>> from 8373606... s3-rpcclient: fix two more invalid
>>>> in spoolss commands.
>>>>> commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96
>>>>> Author: Anatoliy Atanasov <anatoliy.atanasov at postpath.com>
>>>>> Date: Mon May 10 13:52:27 2010 +0300
>>>>> s4-rodc: Fix provision warnings by creating ntds objectGUID in
>>>>> Summary of changes:
>>>>> source4/dsdb/pydsdb.c | 23 ++
>>>>> source4/scripting/devel/ldapcmp | 402
>>>>> source4/scripting/python/samba/provision.py | 6 +-
>>>>> source4/scripting/python/samba/samdb.py | 4 +
>>>>> 4 files changed, 294 insertions(+), 141 deletions(-)
>>>> This patch is incorrect, and dangerous.
>>>> As far as I can see from the full patch, you set a GUID into the
>>>> but never actually make any effort to actually make it match the
>>>> that will be stored in LDB.
>>> Right, i misunderstood metze's suggestion to copy
>>> and do the same with objectGUID
>>>> If the ultimate question that is causing this warning is 'am I an
>>>> then set an opaque for that. If it is some other question, then
>>>> cache for that other question. But you can't set an opaque value
>>>> caching an objectGUID unless you also make efforts to ensure that
>>>> objectGUID is what is actually used. However, given that we can't
>>>> easily set an objectGUID on LDAP backends, I've generally preferred
>>>> avoid this practice.
>>> If i understood creating object guid during provision is bad idea,
>>> The thing is that I need it in samdb_rodc, where i switched from
>> using invocationID to objectGUID.
>>> To answer amIRODC i need the NTDS entry for our server from the db
>> and read the msDS-isRODC attribute, which is constructed btw.
>>> Are there other options to do that, but using objectGUID to get the
>> NTDS settings?
>> My suggestion was to have a 'samsb.set_is_rodc()' cached value similar
>> to samdb.set_invocation_id().
>> This way the provision can preset this value.
> I can't do that, because we use msDS-isRODC constructed attribute to decide if we are rodc.
we some thing like this:
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 260 bytes
Desc: OpenPGP digital signature
More information about the samba-technical